A graduate seminar: current topics in computer security

Are you proud of being a hacker?

December 10th, 2012 by yc15

I came across this article and, as a CS major myself who has already taken two computer security classes, it is quite an interesting question to ask: should I be proud to be a hacker? Well, for now I can’t label myself as a hacker because I have never hacked anything real and I probably shouldn’t. But in my opinion, and I am sure some of my fellow classmates would agree with me, “hacker” is not an easy label to earn, and it is a recognition for a computer person. There are hackers doing bad things, taking advantage of technology’s vulnerabilities, but “hacker” has more meanings now.

According to the article, “The word is not the evil word it used to be because companies now employ people who legitimately call themselves ‘white hat hackers,’ ” said Doug Jacobson, the head of Iowa State University’s highly regarded information assurance program. “People make a living doing this legitimately. The word has lost that tone of evil.” From the news, many of the top hackers are hired by top companies like Google, Microsoft and Apple, and the list goes on. Here is a news story about “Twitter hiring one of the best iPhone hackers to protect the tweets.” Hackers are smart people. The best way to protect something is first to understand where the weak points are. Twitter wanted someone who understood the system’s vulnerabilities in iOS when it started the deeper integration with the iPhone.

Many companies also offer high rewards to hackers who find serious vulnerabilities. According to this link, Google rewarded $60,000 to a security researcher who cracked its Chrome web browser during a hacking contest. And in another link, Facebook would expand rewards for hackers. In the article, Ryan McGeehan, who manages Facebook’s security-incident response unit, is quoted as saying: “If there’s a million-dollar bug, we will pay it out.”

I think my point is that nowadays “hacker” shouldn’t be associated with evil and crime, not just in the techy, nerdy circle but also for the general public, so that they see the value a good hacker, also known as a white hat, provides. As technology has more impact on our everyday lives, and companies like Facebook and Google become everyday brands, the public has more exposure to the mysterious underground hacker news. People also look at things more from the defensive side than the offensive side. As at the end of the article, hopefully one day my mom won’t think being a hacker means I am a criminal.



Security Analysis: Open Wifi and Cookies

December 8th, 2012 by ksl3

Most popular web services you visit today require you to log in with a username and password. Once authenticated, the server sets a cookie in the user’s browser, which is sent along with every subsequent request. This cookie acts as an authentication token that tells the server the requester has full access to the current account.

HTTP session hijacking, also known as sidejacking, occurs when an attacker captures a user’s cookies and is able to log in as that user with all privileges and access intact.

When using an open wireless network, your network traffic is available for everyone to see. This includes cookies. Thus, it’s almost trivially easy for an attacker to steal your cookie on an open wireless network and perform a sidejacking attack.

The only real defense against sidejacking is to force SSL end-to-end encryption from the moment the user connects to the server. The downside is that this makes every network request more expensive, and it was enforced by very few of the major service providers.

While sidejacking has always been a major security flaw of open wireless networks, it didn’t receive much public attention until 2010, when developer Eric Butler published an infamous Firefox extension known as Firesheep.

Firesheep automated sidejacking attacks. When connected to an open wireless network, it automatically captured any cookies sent through the air. It also contained a list of configurations for popular web services like Facebook and Google. When a cookie for a corresponding service was detected, the user’s name and picture were displayed in the sidebar. Clicking on the name would take you to the user’s account.

After the release of Firesheep, major websites like Google and Facebook enforced SSL-only connections and enabled the Secure attribute on their authentication cookies, which mandates that these cookies can only be sent over HTTPS.

I was curious to see, now over two years after Firesheep, exactly what the state of sidejacking protection is in major web services. Many of my friends use Rice Visitors as their default form of wireless without batting an eye. Even among my more tech-inclined friends who knew the dangers of using open wireless, there wasn’t much alarm about using open wireless. Were they safe?

I examined the top 10 sites on the web according to their Alexa ranking.

1. Google:
HTTPS only. In addition, copying cookies verbatim didn’t lead to a successful sidejacking attack.

I logged in to the same Gmail account in a different browser and found two cookies with different values across my two Gmail sessions:

GX
GMAIL_AT

These cookies both had random-seeming alphanumeric values. Deleting GMAIL_AT didn’t seem to affect anything, but deleting GX logged me out of my account. My guess is that GX is some sort of distinct per-session value that Google uses to thwart sidejacking attempts.

2. Facebook:
HTTPS only. Authentication cookies (c_user) are HTTPS only.

Visiting the site over HTTP reveals the user’s locale via non-secure cookies. An attacker on the same wireless network as the victim should already have access to this information, so it doesn’t seem to be much of a vulnerability.

3. YouTube:
HTTP access only. Confirmed sidejacking. I suppose that adding the extra latency of SSL on top of the world’s largest online streaming video site is not something Google considers feasible at the moment.

4. Yahoo:
HTTP access only. Confirmed sidejacking.

5. Baidu:
HTTP access only. Confirmed sidejacking.

6. Wikipedia:
HTTP access. Optional HTTPS available. Confirmed sidejacking.

7. Windows Live:
HTTPS only. I got this warning when logging in via HTTP:

“””
As long as you’re just reading and writing email, signing in with “https” gives you extra security. But this extra security disappears if you check your calendar, edit a contact, or go to another site. For the most secure connection, we strongly recommend that you change your settings to always use HTTPS.
“””

In addition, it doesn’t seem that the cookies on Live have the Secure attribute set. That means if a user is logged in and visits live.com over HTTP, their cookies will still be sent in the clear before the browser is redirected to HTTPS.

8. Amazon
HTTP access only. Confirmed sidejacking.

At first this seems like a glaring security hole. Amazon is the world’s largest online retailer and as of 2011, was processing $17.43 billion worth of items annually (source: http://phx.corporate-ir.net/phoe…).

However, Amazon asks for the user’s password as confirmation before making a purchase. Confirmation is also necessary to do anything privacy related, whether it’s changing account information or looking at past orders.

9. QQ
HTTP access only. Confirmed sidejacking.

10. Twitter
HTTPS only. Authentication cookies (auth_token) are HTTPS only.
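As an added example (my own code, not part of the original post), here is a small Python audit of the two properties the survey above checks by hand: whether a plain HTTP request is redirected to HTTPS, and whether the authentication cookies carry the Secure and HttpOnly attributes. The response headers are constructed samples (the "leaky" one is modelled on the Windows Live finding), not captures from any of the sites named.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and the two flags that
    matter for sidejacking: Secure (never sent over http://) and HttpOnly
    (not readable by page scripts)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name, "secure" in attrs, "httponly" in attrs)


def audit_site(http_status: int, http_location: Optional[str],
               set_cookie_headers: List[str], auth_cookie_names: Set[str]) -> List[str]:
    """Return the findings for one site.

    http_status/http_location are what the site answered to a plain http://
    request; set_cookie_headers are the Set-Cookie headers seen at login;
    auth_cookie_names are the cookies that prove identity to the server.
    """
    findings = []
    redirected = (http_status in (301, 302, 303, 307, 308)
                  and (http_location or "").lower().startswith("https://"))
    if not redirected:
        findings.append("plain HTTP is served, not redirected to HTTPS")
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in auth_cookie_names:
            continue  # locale/preference cookies are not an authentication risk
        if not cookie.secure:
            findings.append(f"auth cookie {cookie.name} lacks Secure: "
                            "it rides on any http:// request before the redirect")
        if not cookie.httponly:
            findings.append(f"auth cookie {cookie.name} lacks HttpOnly")
    return findings


# Constructed sample responses (not real captures). AUTH_COOKIES uses the
# cookie names the survey above identified as authentication tokens.
AUTH_COOKIES = {"c_user", "auth_token", "gx"}

GOOD_SITE = dict(
    http_status=301, http_location="https://social.example/",
    set_cookie_headers=[
        "c_user=1234567890; Path=/; Domain=.social.example; Secure; HttpOnly",
        "locale=en_US; Path=/; Domain=.social.example",
    ],
)
# Modelled on the Windows Live case: login is HTTPS only, but the cookie is not
# marked Secure, so a later http:// visit sends it in the clear before redirecting.
LEAKY_SITE = dict(
    http_status=302, http_location="https://mail.example/login",
    set_cookie_headers=["auth_token=abcdef0123456789; Path=/; HttpOnly"],
)


def run_audit() -> Dict[str, List[str]]:
    return {name: audit_site(auth_cookie_names=AUTH_COOKIES, **site)
            for name, site in (("good", GOOD_SITE), ("leaky", LEAKY_SITE))}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or ["no findings"])
```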

Facebook chat malware

December 7th, 2012 by Apoorv Agarwal

Two or three weeks back, when I was on Facebook, I suddenly got a pop-up message from an unknown person containing a link to some random video. At the time I didn’t pay any attention to it and continued doing my work, but today, when I was reading this blog, I came to know that it was actually a malware attack.

How this malware works can be understood from this flowchart. A random chat window opens in the Facebook login with some video link, and as usual the user tends to click that link in order to watch it; what really happens is that malware gets downloaded (a drive-by download attack) and infects the machine. After this, a series of events follows: it makes a hole in the firewall policy of the system by using the netsh command or by modifying the registry. It even disables Windows updates and anti-malware scanners, leaving the system at the mercy of the attacker. After this it drops its path in the startup so that it starts automatically the next time the system reboots. The malware changes the home page of all the native browsers like Internet Explorer, Firefox and Chrome. The following image shows the command the malware received from the attacker:

Through this command file the attacker tries to check all the chat windows of the victim and spread the same type of attack, duplicating it over other chat windows as well; for example, in the case of Skype the attacker uses PostMessageA to post the comment.

Though the spread of the worm could be stopped very easily by just killing all its running instances and cleaning up the registry, the thing to keep in mind while social networking is to avoid clicking links from any unsolicited person, as it may be an attack on the privacy of your data; this type of attack can only be stopped by knowledge of these attacks.
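As an added example (my own code, not from the original post), here is a Python detector that looks for the host-side steps described above in constructed process-creation and registry-event log lines: a firewall hole opened with netsh, Run-key persistence, disabled Windows updates or anti-malware, and a changed browser home page. The key=value log format and every file path in it are made up for the example; the registry key names are the standard Windows locations.

```python
import re
from typing import Dict, List

# Constructed sample events (not real captures). Paths under C:\Users\victim
# are placeholders; the last line is a benign control.
SAMPLE_EVENTS = [
    r'type=process image="C:\Windows\System32\netsh.exe" cmdline="netsh firewall add allowedprogram C:\Users\victim\AppData\Roaming\svc.exe svc ENABLE"',
    r'type=registry op=set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="svc" data="C:\Users\victim\AppData\Roaming\svc.exe"',
    r'type=registry op=set key="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" value="NoAutoUpdate" data="1"',
    r'type=registry op=set key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" value="DisableAntiSpyware" data="1"',
    r'type=registry op=set key="HKCU\Software\Microsoft\Internet Explorer\Main" value="Start Page" data="http://video.example/watch"',
    r'type=process image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> str:
    """Return a label for one event, or '' if nothing in it matches.

    Each rule corresponds to one step of the infection chain described in the post.
    """
    if event.get("type") == "process":
        cmd = event.get("cmdline", "").lower()
        # Both the legacy 'netsh firewall add allowedprogram' and
        # 'netsh advfirewall firewall add rule' open the host firewall for a binary.
        if "netsh" in cmd and "firewall" in cmd and " add " in cmd:
            return "firewall-hole"
        return ""
    if event.get("type") == "registry" and event.get("op") == "set":
        key = event.get("key", "").lower()
        value = event.get("value", "").lower()
        if key.endswith(r"\currentversion\run") or key.endswith(r"\currentversion\runonce"):
            return "persistence-run-key"       # "drops the path in the startup"
        if key.endswith(r"\windowsupdate\au") and value == "noautoupdate":
            return "updates-disabled"
        if key.endswith(r"\windows defender") and value == "disableantispyware":
            return "antimalware-disabled"
        if key.endswith(r"\internet explorer\main") and value == "start page":
            return "browser-homepage-changed"
    return ""


def scan(lines: List[str]) -> List[str]:
    """Classify every line and return the non-empty labels in order."""
    return [label for label in (classify(parse_event(l)) for l in lines) if label]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(f"{classify(parse_event(line)) or 'benign':26} {line[:70]}")
```

A single match is only a lead; the sequence (firewall hole, Run key, updates and scanner off, home page changed) on one host is what makes the behaviour unmistakable.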



36 million euros was stolen by Eurograbber malware

December 7th, 2012 by on1

While it seems that banks’ two-factor authentication mechanisms work quite securely, a new Trojan called Zeus circumvented banking authentication and looted an estimated €36 million, or $47 million, from about 30,000 European bank accounts this summer. The attackers targeted 30 banks located in Italy, Germany, Holland and Spain. To carry out their information hijacking, they used a well-known technique to trick users: drive-by download.

Like similar malware, it entices people to click on a link in a malicious email or directs them to a compromised server, infecting their computers with Zeus. This malware remains on the victim’s computer until the user starts an online banking session and sets a cell phone number in the profile. The malware instantly sends this information to the command and control server, which subsequently sends an SMS message to the user providing a link for upgrading the banking software’s security. Clicking on the link, which seems logical to the user, leads to downloading the ZITMO Trojan (Zeus in the Mobile). In this situation even the Transaction Authentication Number (TAN), which provides extra security, does not work effectively.

Although Check Point Versafe recently worked with European law enforcement and Internet service providers to shut down the C&C servers, there is a chance that the Zeus campaign could adopt a more complex attack architecture to hide its C&C servers, like what we saw in a paper earlier this semester.

One issue about this Trojan is interesting. While two-factor authentication is not as widespread here as in Europe, there is no reason why these kinds of attacks cannot be used against American banks (for instance by choosing Wells Fargo as a victim).

Since users, due to their lack of knowledge or unintentional mistakes, are prone to unsafe actions, we, as security people, should control other parts of the information-hijacking chain to protect users. (Look at this nice figure.) Based upon what was mentioned in a paper earlier this semester, we can conclude that the weakest part of this chain is the bank, and it needs to be protected by law enforcement.

References:

http://www.net-security.org/malware_news.php?id=2344

http://securitywatch.pcmag.com/none/299291-fake-android-security-app-is-mobile-zeus-malware-in-disguise

http://securitywatch.pcmag.com/none/305682-zeus-campaign-stole-47-million-from-european-banks

http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29


Distributed denial of service attacks as a commercial service

December 6th, 2012 by Martha

Earlier in the semester, this paper we presented proposed that the botmasters running Torpig operated it as a commercial service. While DDoS was probably only a small subset of the services Torpig’s botmasters offered, this article at TechWeekEurope looks into the whos and whys of commercial DDoS services. It has a couple of pictures of advertisements offering DDoS, and links to some ridiculous YouTube advertisements, both of which are hilarious in an ‘I’m still in high school and think I am the 1337est ever’ sort of way. Most of the evidence feels anecdotal, but it seems likely enough.

So what kinds of people run botnet DDoS services? One interviewed DDoS provider claimed to be 17 and a computer science student, and his behavior (taking down a 1337 hax00r forum for thirty seconds to prove who he was) certainly makes him sound like he’s still in high school. The other interviewees were more careful about just who they were, though, so more professional criminals appear to offer these services as well.

Targets vary. Anonymous protests are often in the news, but ‘hacktivists’ aren’t the only DDoS customers. Gwapo’s DDoS service advertises that “rivals, haters, they are to go down” and “If you want your business competitors to go down”, you should hire them, indicating that individuals want to DDoS smaller websites for petty personal attacks or to take out a business competitor. DDoS dealers can also hold online businesses for ransom – pay up or get taken down. Therefore, just about anyone with an online presence could be a target.



Build a Remote RFID Card Reader

December 6th, 2012 by Martha

Back in May, this post at Hackaday linked to a relatively easy-to-build RFID reader. It looks like it would be fairly inexpensive (less than $100) to build.

The trend toward putting RFID chips in credit and debit cards is a little disturbing, as it’s fairly easy and relatively cheap for an attacker to build even a simple longer-range RFID reader. While this reader doesn’t read more than a foot away and doesn’t deal with the sort of encryption that should be on your debit cards (ha), it’s totally possible that an actual attacker could come up with something better.

To counter this attack, wrap your RFID cards or the inside of your wallet with aluminum foil. That should make it harder for a long-distance reader to read them.



W32.Narilam

December 4th, 2012 by on1

While reading about current viruses, I found that Symantec recently came across a new sophisticated threat which targets “corporate databases”. They detect this malware as W32.Narilam. This malware sabotages database entities of accounting software and replaces them with random data. Like other malware, Narilam copies itself to the infected machine, then adds registry keys, and finally infects removable drives and spreads through networks. But what is unique about this malware is that it can update Microsoft SQL databases if they are accessible via OLE DB. (OLE DB provides interfaces that expose data from a variety of sources and also provides a measure of the DBMS functionality needed.)

The strange thing I found about this virus is that it only looks for specific database names used in the small-business accounting software of an Iranian company. It then replaces specific objects and tables rather than just uploading data to command-and-control servers.

Although it turns out that this virus is not a cyber-weapon on the scale of Stuxnet (http://vimeo.com/25118844), it is really the targeted nature of the malware that needs to be understood and addressed. Not too long ago, small and midsize businesses could rightfully consider themselves immune to targeted attacks and malware, as the size of the business didn’t create enough of a reward to be worth the risk to the attacker. With cloud computing and powerful analytics allowing midsize businesses to harness unimaginable amounts of data, their data stores and lax security make them the perfect target for attackers.

Hopefully, the damage that a worm like Narilam can do will be enough to convince IT managers of the need for powerful, consistent security measures. While locking down systems is rarely possible or profitable, ensuring that employees understand the importance of proper security precautions can greatly diminish malware’s ability to infect a system and spread out from there.

Between employee education and proper anti-malware software, the threat of destruction from malware is significantly diminished, but only if the right people remain vigilant.

References:

http://securitywatch.pcmag.com/none/305296-database-modifying-malware-narilam-a-corporate-sabotage-tool

http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage

http://midsizeinsider.com/en-us/article/is-narilam-malware-something-to-worry-ab

http://msdn.microsoft.com/en-us/library/windows/desktop/ms722784%28v=vs.85%29.aspx



Use “HTTPS Everywhere” to protect your privacy

December 4th, 2012 by wh3

I recently came across a cool plugin called “HTTPS Everywhere”, created by the EFF and the Tor Project. It automatically switches thousands of sites from insecure “http” to secure “https”. It protects you against many forms of surveillance and account hijacking, and some forms of censorship.

What is HTTPS, and why should we use it instead of HTTP? There is a nice metaphor: using HTTP to log in to an internet service is the same as writing your username and password on a postcard and mailing it for the world to see.

While HTTPS protects users against session hijacking attacks and man-in-the-middle attacks, not every website uses it, mainly because 1) people are ignorant and 2) HTTPS is slower and requires more performance from the server.

After the famous “Firesheep” Firefox plugin, awareness of the importance of HTTPS rose enough to gain most websites’ attention. For instance, major sites like Google, Twitter and Facebook have all moved their sites entirely to HTTPS.

The migration isn’t that easy, though. Facebook spent the last two years making infrastructure improvements so that its transition of all its users to HTTPS, which started last month, will “slow down connections only slightly.”

Still, a lot of sites either use HTTP or use HTTPS only for the login page and HTTP for the rest of their pages. So if you don’t want your online activity to be within the fingertips of the whole world, given that free sniffer software is everywhere, use “HTTPS Everywhere” in your Chrome/Firefox to switch from HTTP to HTTPS.

Relevant Links:
http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/
http://codebutler.com/firesheep/
http://en.wikipedia.org/wiki/HTTP_Secure
http://techcrunch.com/2012/11/18/facebook-https/
http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html

Thanks to PlayThru the CAPTCHA story has come to an end?

December 2nd, 2012 by on1

PlayThru Captcha

After the lecture we had about moving-object CAPTCHAs, I searched for new CAPTCHAs in the hope of observing a new brand of CAPTCHA. And I found one! The PlayThru system, developed by Are You a Human, can be a substitute for cryptic CAPTCHAs. They say, “Hieroglyphics were fine for Pharaohs, but your users deserve better”. Instead of giving you an obscure CAPTCHA to solve, they give you a simple game to play, and if you simply do that you are recognized as a human. Isn’t this exciting?

In fact the problem is that as automated systems got better and better at solving CAPTCHAs, the CAPTCHAs had to get tougher, enough so that humans couldn’t always get them right. I encourage you to look at this infographic, which describes the agony that traditional CAPTCHAs cause users. They believe one in four people fail to decipher current CAPTCHAs on their first attempt. For me, it has happened many times that I could not solve a CAPTCHA.

They also state firmly that with PlayThru they defeat CAPTCHA farming: given a distorted CAPTCHA, scammers hire humans, usually in developing countries, and pay them to solve every CAPTCHA their automated systems encounter, or they put it on porn sites, which gives people enough incentive to solve them. Since each CAPTCHA always has the same solution no matter who solves it or where, CAPTCHAs can be solved easily; however, with PlayThru the human user must actively maneuver the floating icons, and there’s no “answer” that could be supplied by someone else. To me this does not seem convincing; scammers can write code that takes control of the mouse and supplies the solution for PlayThru. Obviously it would be a harder task, but it turns out to be doable. All they need is some knowledge of moving-object recognition.

If you’d like to see the system in action, there’s a working PlayThru demo on the Are You a Human home page. Maybe someday we get rid of those tedious CAPTCHAs.



Using web ads to exfiltrate personal data

December 2nd, 2012 by Tad

By now, most users of web e-mail clients are used to the disturbingly accurate ads that appear beside their e-mail. As is well known, your e-mail is scanned for various keywords, and the ads are served based on the contents of the e-mail. In principle, this is not supposed to affect the integrity of your e-mail, because the contents of the e-mail are not shared with the advertiser – he only knows that an ad has been served and whether it has been clicked on.

Threat Model

However, further consideration reveals that this approach creates potential leaks of personal information to the advertiser. Consider, for example, an advertiser who wants to gather certain pieces of personal information on a specific individual. They know certain publicly available details about the individual, and are able to register an advertiser account with the e-mail / ad provider. The advertiser cannot directly access the user’s account, but can retrieve standard information, such as display counts, for their ads.

Attack

If the attacker chooses keyword combinations that are likely to appear only in e-mails to or from the individual in question, then they can construct ads that will only be shown when e-mails to or from this individual are displayed. They may then add keywords containing the information they would like to exfiltrate and see how frequently their ad is displayed. If it appears more than a nominal number of times, there is a likelihood that those keywords are present in the individual’s e-mail.

Example

Suppose, for example, an attacker suspected that a certain individual worked on a specific, secret project. They could create an ad account and insert an ad with the individual’s e-mail address and the name of the project as keywords. If the ad was displayed frequently, it would suggest that the keyword appeared frequently in conjunction with the user, and thus suggest the user’s involvement with the project.

Notes

An ad provider could try to counter this sort of attack by only permitting keywords that appear with a certain level of frequency (unlike specific e-mail addresses). However, because combinations of common words may be quite rare and distinguishing, such an approach would not be sufficient to block the attack. Only if the ad provider required frequently appearing keyword combinations could the attack be minimized. Additionally, it is worth noting that the attack would be easy to disguise from a user, because most advertising agencies / e-mail providers do not share the keywords used to generate the ads shown to the user. The ad itself could be made sufficiently generic that there would be no reason to expect any foul play.
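As an added illustration of the Notes above (my own code, not the author’s), this Python snippet compares the two provider policies on a constructed mailbox: checking each keyword’s frequency on its own accepts a probe made of common words, while requiring the whole combination to be common rejects it, because the combination singles out one message.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample "mailbox" of short messages (not real e-mail). The words
# "budget", "review" and "thursday" are each common here; their combination is not.
SAMPLE_MAILBOX = [
    "budget meeting moved to monday",
    "please review the attached draft",
    "lunch on thursday?",
    "quarterly budget numbers are in",
    "review comments on the paper",
    "thursday seminar cancelled",
    "budget review thursday with the project team",  # the single rare co-occurrence
    "reminder: review your budget before friday",
]


def tokenize(text: str) -> Set[str]:
    return {w.strip(".,:?!") for w in text.lower().split()}


def joint_document_frequency(corpus: Iterable[str], keywords: Iterable[str]) -> int:
    """Number of messages containing *every* keyword: the event an ad-display
    counter would reveal to the advertiser."""
    kws = {k.lower() for k in keywords}
    return sum(1 for msg in corpus if kws <= tokenize(msg))


def per_keyword_policy(corpus: List[str], keywords: List[str], min_docs: int) -> bool:
    """The weak policy from the post: accept if each keyword on its own is
    common enough. It cannot see that the *combination* is rare."""
    return all(joint_document_frequency(corpus, [k]) >= min_docs for k in keywords)


def combination_policy(corpus: List[str], keywords: List[str], min_docs: int) -> bool:
    """The stronger policy: the whole keyword set must co-occur in at least
    min_docs messages, so no ad can target a single conversation."""
    return joint_document_frequency(corpus, keywords) >= min_docs


def compare_policies(corpus: List[str], keywords: List[str], min_docs: int = 3) -> Dict[str, object]:
    return {
        "per_keyword": per_keyword_policy(corpus, keywords, min_docs),
        "combination": combination_policy(corpus, keywords, min_docs),
        "joint_frequency": joint_document_frequency(corpus, keywords),
    }


if __name__ == "__main__":
    probe = ["budget", "review", "thursday"]  # three common words, one rare combination
    print(compare_policies(SAMPLE_MAILBOX, probe))
```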

While I have not tried out any such attack, attempting to execute it would be a worthwhile experiment, and a way of understanding one aspect of electronic privacy and e-mail security.